When Acceptable Risk is Not Acceptable

Posted May 9th, 2007 by

Bottom Line Up Front: Even if on an organizational basis, the risk is acceptable, on a personal basis, there is no such thing as an acceptable risk.

We have these great Information Assurance frameworks. They’re scalable, modular, and they do work if you know what you are doing.

Then they all fall short in one thing: acceptable risk that is not acceptable. We teach people how to determine if a risk is acceptable. There are several formulas to use. It’s part of the CISSP CBK. At its heart, it’s a cost/benefit/risk comparison. Rationally, we know how to do this as an organization.

However, on a personal level, we live in a risk-avoidance, zero-defects society. To an individual, taking a risk means that you might have personal repercussions, and that is not acceptable. The end result is that we’re back to risk avoidance, which takes us back to the neolithic era of risk management.

So we’re stuck in this dual-standard security world with no end in sight. How do we fix it? I’m not sure, but somehow in order to have effective risk management, you need to establish a culture where it’s OK to fail occasionally.



Similar Posts:

Posted in Risk Management | No Comments »

Leave a Comment

Please note: Comment moderation is enabled and may delay your comment. There is no need to resubmit your comment.


Visitor Geolocationing Widget: